There are many launchers Spoutcraft, TechnicLauncher and MagicLauncher being the most common , and they are very popular and easy to do a background check on. It'd be easy to find out if these launchers have stolen passwords in the past. Not only can you do background checks, but applets set out to steal such information would have some code in them that would be noticeable and detectable by the user.
IMHO, if you're stupid enough to download something that steals your passwords, you deserve it. Most things that do steal passwords are quite obvious and easy to avoid. You forget that there are a lot of children playing, who are way less careful. Of-course the threat remains there with any download but it wouldn't be a lot of effort to make the file more secure. Or they could try to restrict the access a mod has, currently mods in general are not secure, and don't forget that mods are a HUGE part of Minecraft.
I don't think this is actually possible. Minecraft mods alter the source code of Minecraft; any safety features designed to limit mods could be removed by those same mods. This comes back to user liability. Kids should have their parents at least checking what their child is downloading.
- Mojang | Minecraft Accounts.
- Navigation menu!
- download openoffice writer for mac.
- f2 edit cell mac excel.
- Simple Guide to Create Your Free Minecraft Account?
- Make Minecraft work on Mac OSX Yosemite with latest Java 8.
Not to mention the easiest way to protect yourself: Change your password once monthly and make sure it is complicated, using numbers and letters that are both uppercase and lowercase. One thing that's important to remember is that every time you allow arbitrary code to be run on your machine such as a mod or any other type of executable download you're basically handing control of your machine over to the person who wrote the code. They have the ability to do far worse than steal your Minecraft password. The lesson here is: never trust executable code from an unknown source.
In this day and age, that should just be common sense. All they have to do is copy the file. Even a new copy of Minecraft can decrypt it. It's not read protected or stored in a secure manner so it's not out of the question that someone could do so. If storing a hash is all that is needed to create a login, then stealing the hash will result in someone else being able to log in.
No different than before. Many systems that use tokens even systems that don't still require you to enter the old password in order to set a new one, or to make any significant changes to the account or perform actions that could result in a credit card charge. Once the user is running malicious software, it's game over.
The only solution to the "problem" you're describing is to not store any record of the password at all on the client. If you still want a "remember me" feature, this is not possible. Most people here are not security experts and have no business offering solutions to a security problem. There is no easy solution to this problem. If the credentials to log in to the game are stored on your computer, there is nothing to prevent a mod from getting those credentials. The best you can do in this case is have the minecraft servers generate some kind of cookie or token that can be used only to log in, but not to change password or anything else, and can be revoked at any time from the website.
I'd also like to point out that any other programs that stores passwords do so with a minimal amount of encryption or none at all. Really, none is safest because there's no false sense of security. I'd also like to point out that most operating systems have password-storing functionality for just this purpose: Mac has its Keychain, Gnome has Keyring, and KDE has KWallet. Windows probably has something too. I don't know much about those though and couldn't say how much more secure they'd be if at all.
The lastlogin file might as well be cleartext It's a simple solution, but it works it would have to be unique to each person to be used on a large scale. Actually, it doesn't matter how long the password is. No matter the length, you can easily decrypt it.
Actually, this is incorrect. I tested this by changing my password to a very long, very complicated one.
Minecraft: Education Edition on the App Store
Then, I used a tool called MCExploit, seen working here. You might want to brush up on your subject matter then.
- How do I find my Minecraft username? – BLOCKLANDIA.
- How to play Minecraft for free.
- adobe photoshop cs6 serial generator mac.
- Want to add to the discussion?!
- THANK YOU!.
- Minecraft Realms | Minecraft.
- poner subtitulos a una pelicula mac!
Decryption, as in this case where the cipher is easily obtainable, is generally completed on a linear time scale. Brute-forcing a password, based on a known hash or otherwise, is what increases the time scale exponentially based on the length and character complexity of the password. I know that brute-forcing is the only place where password length matters. That's what I was referring to.
Packet sniffing, social engineering, obtaining saved passwords, etc. I've got freeware that will steal your saved passwords from Chrome and IE.
How to Create a Minecraft Server
I was just saying that password length matters when the attacker doesn't have access to you or the network. The thing is, if you were talking about bruteforcing, then that has no place here. We are talking about decrypting minecraft lastlogin files, not bruteforcing other passwords. As well, stealers such as you said usually come with the ability to send logs and passwords through smtp, so access to their network is not necessary. I know, I was just pointing out that long passwords are typically better because most people only know how to bruteforce.
Sure, you can decrypt the lastlogin file which doesn't take long at all , or you can get the URL that the launcher is trying to access from a remote computer, if that'd work. Thanks for the heads up. Up vote for relevance and pointing out the flaw.
More Blogs by Tdonny
You and OP are looking out for us, it's nice. Thank you :. As an English major and for the benefit of others like me, what the fuck does all this mean and how do I make it better? Anyone with access your computer has access to your Minecraft password. Use different passwords for all your accounts, that's the best way to make things okay for right now. This really needs to be fixed, though. I consider it insulting and rude for a company to do this to me. I paid for my product and that product's vendor should take the security of my ownership seriously. I'm not really mad or anything, just annoyed that this has gone on for this long.
It's not their job to protect you from screwing-up while trying to modify their product. It would be like complaining that your breaks went out after you tried to modify the timing on your ABS. How would hashing the password help? It would make it impossible for the game to recover the actual password, so the entire point of storing passwords would be defeated. The idea is that the login servers perform the same hash on their record of your password. If the two hashes are the same, then your password is almost surely correct.
- How to make Minecraft work on Mac OSX Yosemite with latest Java 8.
- tijdlijn maken in word mac.
- Minecraft's saved password has bad encryption.?
- Contact Us.
Okay, yes, we're talking about the locally saved password, the one that auto-fills your login details when you open up Minecraft so you don't have to type in your username and password every time you start playing. It's encrypted already, but the decryption key is pretty easy to get so it's not that secure. I don't know whether the password is hashed when it's sent to minecraft. I'd assume so, that's network security It isn't.
The client has the hash and the server has a hash.
The hash is changed every time you login. You can't use the hash to change the password. When a malicious mod steals your current password hash, and immediately logs in using it, the servers will issue the attacker the new hash and you'll be left with a stale hash that doesn't work. You also couldn't log into the same account from two different computers for the same reason.